As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties. In response to threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.

Quote:

Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites.

"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."

Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed. Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.

Apple historically provided its own support for Java on OS X, but in October 2010 began pushing support for Java back to Oracle, with Steve Jobs noting that the previous arrangement resulted in Apple's Java always being a version behind that available to other platforms through Oracle. Consequently, Jobs acknowledged that having Apple responsible for Java "may not be the best way to do it."

Wow. The Apple fix for this is both elegant and scary - I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.

I suppose at this point I'm willing to trade the 0-day security for Apple's ability to reach in and tweak settings.

Wow. The Apple fix for this is both elegant and scary - I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.

The Xprotect background silent update feature was added to OS X back in Lion 10.7.3. It got extended in Mountain Lion to cover some other things, too - but even I do not know what all those are.

I tested it on mine and I definitely get the popup that Java is unsecure and out of date, and blocked - but I didn't have to do anything to get that update to xprotect.plist. No software update, no nothing. That's rather scary.

OS X systems check for an updated version of that file on a daily basis. It's primarily used for malware definitions, but can also be used to require minimum versions of certain plugins, as with Flash and Java.

Quote:

Originally Posted by KnightWRX

com.oracle.java.JavaAppletPlugin = Browser plug-in.

Apple has not blocked Java 7 on OS X.

Please correct the headline ASAP before this thread becomes a major flamewar.

You are of course correct, and I've updated accordingly to make things more clear.

Thanks for the fast action, Apple. Although it shows the tradeoff we've had to accept, that keeping up with the latest version can produce situations like this, with a discovered vulnerability for which there is no patch yet. Ironically, when Apple was a version behind, bleeding edge security issues would have been addressed by the time we Mac users got a Java release from Apple.

__________________Oh do pay attention 007. In the wrong hands, this cylindrical 12-core Mac Pro with three 4K displays, FirePro graphics, and Thunderbolt 2 could be very dangerous.

Thanks for the fast action, Apple. Although it shows the tradeoff we've had to accept, that keeping up with the latest version can produce situations like this, with a discovered vulnerability for which there is no patch yet. Ironically, when Apple was a version behind, bleeding edge security issues would have been addressed by the time we Mac users got a Java release from Apple.

well to be fair it was a good trade off as Apple was piss poor on it and tend to lag months behind Java and left holes open for a lot longer. I expect a patch will be out pretty soon from Oracle to fix it.

well to be fair it was a good trade off as Apple was piss poor on it and tend to lag months behind Java and left holes open for a lot longer. I expect a patch will be out pretty soon from Oracle to fix it.

All Oracle versions have been insecure. I'd rather have stability and security over latest and certainly not greatest. Lot's of stuff won't even run on 7 plug.

As a middleware and server platform Java is great. But when it comes to front end, it sucks like a tornado. Their widgets and the slow response times are horrible. Java was trying to be a "all in one" solution but it never got accepted.

I know the Mars rover interface is Java. But NASA engineers could have chosen the easy way out, you know run it on Linux and throw Java on top of it. Easy out of the box solution. I believe Android is based on such a platform, but I am not sure. No wonder it's so glitchy and jerky.